I asked them if they knew the devices that were used to access the data? When they accessed the data? What security was on each device? I also asked if they used simple security such as two factor auth everywhere? Crucially I asked if they logged who had access? When they had access? What they had access to?
